SE alert

jd1008 jd1008 at gmail.com
Sun Jul 19 02:17:59 UTC 2015



On 07/18/2015 08:09 PM, Ed Greshko wrote:
> On 07/19/15 09:57, jd1008 wrote:
>>
>> On 07/18/2015 07:53 PM, Ed Greshko wrote:
>>> On 07/19/15 09:17, jd1008 wrote:
>>>> debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null
>>>> Inode   Pathname
>>>> 47972353        //root
>>>>
>>>> So, why is it trying to do that?
>>>> I am not logged in as root.
>>>>
>>>> How can I find out the process(es) that spawned sh
>>>> to access /root?
>>> OK, so you have determined that the path being accessed and cited by the alert is /root.
>>>
>>> Don't know if the process is still around, but supposedly it was pid=6476.
>>>
>> This is frustrating!!
>> $ ps -p 6476
>>    PID TTY          TIME CMD
>> $
>>
> That should then mean that the pid= on each sealert is different.  Yes?
>
The original I posted says:

type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat 
success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 
items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh 
subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

So, it says pid=6476

but by the time I see the alert, the process is gone!!
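One way to pull the fields a responder actually needs out of the SYSCALL record quoted above, so the parent pid, command name, executable and SELinux domain can be followed up even after the short-lived pid has exited. This is an added Python example, not part of the thread; the record string below is a constructed copy of the one in the message, re-joined onto one line.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the audit SYSCALL record quoted in the thread above.
AUDIT_RECORD = (
    "type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat "
    "success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 "
    "items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 "
    "egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh "
    "subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)"
)

# msg=audit(<epoch seconds>.<ms>:<serial>): carries the event time and id.
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
# Every other field is a plain key=value token separated by whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syscall_record(line: str) -> dict:
    """Split one audit SYSCALL record into a dict of its key=value fields.

    msg=audit(ts:serial) is expanded into 'timestamp' (UTC datetime) and
    'serial', so PATH/CWD records of the same event can be joined on serial.
    """
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: no msg=audit(...) field")
    fields = dict(KV_RE.findall(line))
    fields.pop("msg", None)  # replaced by the two decoded fields below
    fields["timestamp"] = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    fields["serial"] = int(m["serial"])
    # subj is user:role:type:range; the SELinux domain is the type component.
    fields["selinux_domain"] = fields["subj"].split(":")[2]
    return fields


def triage(rec: dict) -> dict:
    """What remains useful once the pid itself is gone: ppid, comm, exe, domain."""
    return {
        "denied": rec["success"] == "no" and rec["exit"] == "EACCES",
        "when_utc": rec["timestamp"].strftime("%Y-%m-%d %H:%M:%S"),
        "ppid": int(rec["ppid"]),
        "comm": rec["comm"],
        "exe": rec["exe"],
        "domain": rec["selinux_domain"],
    }
```

With the pid already gone, ppid, comm, exe and the subject domain are the values to correlate against other logs from the same timestamp.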
